This may depend on #1606794: Implement new routing system, but I don't think it does.
As discussed in Munich, one of the improvements we're able to make with the new Symfony-based architecture is that we can detect form submissions in a kernel.request event listener. That listener can detect the presence of a POST request with form ID, load the appropriate form, validate it, and submit it, all without triggering the Matcher, any controllers, etc. It ends by setting a redirect response object (based on the form), which neatly short-circuits all of the rest of the page.
If a form does not validate, then the listener can flag the invalid information and allow processing to continue, or else do a direct forward() to the normal controller. (Details to be worked out in implementation.)
That is only a small win for a form that's in the body of a page, but a huge win for forms that are in blocks. Of course, in the new model the page vs. block distinction should be going away, which makes this a win for any form.
Assigning to effulgentsia since he's one of the people that volunteered to work on this. :-)
Comments
Comment #1
effulgentsia commented
Cross linking #774876: Form cache entries can expire before their host page's cache entry, resulting in all AJAX failing and #597280: Introduce form registry to fix various problems and increase security. See #774876-11: Form cache entries can expire before their host page's cache entry, resulting in all AJAX failing for why.
Comment #2
sdboyer commented
i am very curious about the approach we take to this, as this seems to be one of the first places we'll be tackling a "short circuiting" router that circumvents much of the heavy matching/routing process. an obvious best-approach to doing so has not jumped out at me in the time i've spent thus far with the routing system. my criteria are, roughly speaking:
Comment #3
Crell commented
Are we going to be able to do this? :-)
Comment #4
mgifford
Comment #5
pounard
This would mean anyone would be able to POST any form on any URL as soon as he/she knows the form ID. Am I wrong, or does automating this seem dangerous, possibly bypassing a few access checks that are mostly based upon URL or Controller?
Comment #6
effulgentsia commented
Yes, I think the only way to do this would be to introduce access control on forms. See links in #1.
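The access concern raised in comments #5 and #6, shown as an added example that is not part of the thread or of Drupal's code: a kernel.request subscriber that short-circuits form POSTs, with a per-form access check standing in for the route checks it skips. The `$forms` registry, its `access`/`validate`/`submit` callbacks, and the `form_id` field name are assumptions; it uses the current Symfony `RequestEvent` API and PHP 8.

```php
<?php
// Added illustration. The $forms registry and its callbacks are hypothetical,
// not Drupal core APIs.
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\KernelEvents;

final class FormSubmissionListener implements EventSubscriberInterface
{
    /**
     * @param array<string, array{access: callable, validate: callable, submit: callable}> $forms
     *   Hypothetical registry keyed by form ID.
     */
    public function __construct(private array $forms) {}

    public static function getSubscribedEvents(): array
    {
        // Priority above Symfony's RouterListener (32), so the Matcher never runs
        // for a form POST that is handled here.
        return [KernelEvents::REQUEST => ['onRequest', 64]];
    }

    public function onRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || !$request->isMethod('POST')) {
            return;
        }
        $formId = $request->request->get('form_id'); // assumed field name
        $form = is_string($formId) ? ($this->forms[$formId] ?? null) : null;
        if ($form === null) {
            return; // not a registered form: fall through to normal routing
        }
        // Route-level access checks have not run at this point, so the form
        // has to authorize the submission itself before any processing.
        if (!($form['access'])($request)) {
            throw new AccessDeniedHttpException('Form access denied.');
        }
        if (!($form['validate'])($request)) {
            return; // invalid: let the normal controller re-render with errors
        }
        $redirectUrl = ($form['submit'])($request);
        // setResponse() stops propagation, skipping the Matcher and controllers.
        $event->setResponse(new RedirectResponse($redirectUrl));
    }
}
```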
Comment #7
mgifford
@effulgentsia please feel free to assign it to yourself again. I was looking for issues that were largely inactive and had been assigned (but where no active development was being done).
Should this get moved to 8.1?
Comment #8
pounard
I don't think it would be such a good idea; processing forms on arbitrary URLs goes against REST, etc. It may induce behaviors that would appear random to a lot of people and make things really hard to understand.
Comment #9
Crell at Palantir.net commented
This could still be potentially useful, but I'm sure all of the metrics have changed in the last year based on the heavy rewriting of the render system.